Aaa authorization subscriber-service default group

Dear All
I am configuring Broadband  RAS over PPPoe on Cisco 7206 ( IOS  12.2(33) SRD).
some   commands i am not able to run like
aaa   authorization subscriber-service default group AAA-SERVERS
aaa server radius sesm
scenario is   like this
END   User-> Broadband RAS->(Management software with DHCP  server)->  Bandwidth manager-> core Router -> Internet
Broadband   RAS will manage All internet user with the help of management software.
please  help  me
vikas

Hi
The Output that you post System image file is "disk2:c7200p-ipbase-mz.124-15.T9.bin" not support this feature.
The Below IOS Support the AAA Authorization and Authentication Cache , AAA server group  & These are IPBase W/O Crypto
15.0(1)M2
c7200-ipbase-mz.150-1.M2.bin
512
64
15.0(1)M1
c7200-ipbase-mz.150-1.M1.bin
512
64
15.0(1)M
c7200-ipbase-mz.150-1.M.bin
512
64
12.2(33)SRE1
c7200-ipbase-mz.122-33.SRE1.bin
512
64
12.2(33)SRE
c7200-ipbase-mz.122-33.SRE.bin
512
64
12.2(33)SRD4
c7200-ipbase-mz.122-33.SRD4.bin
128
64
12.2(33)SRD3
c7200-ipbase-mz.122-33.SRD3.bin
128
64
12.2(33)SRD2a
c7200-ipbase-mz.122-33.SRD2a.bin
128
64
12.2(33)SRD2
c7200-ipbase-mz.122-33.SRD2.bin
128
64
12.2(33)SRD1
c7200-ipbase-mz.122-33.SRD1.bin
128
64
12.2(33)SRD
c7200-ipbase-mz.122-33.SRD.bin
128
64
12.2(33)SRC6
c7200-ipbase-mz.122-33.SRC6.bin
128
64
12.2(33)SRC5
c7200-ipbase-mz.122-33.SRC5.bin
128
64
12.2(33)SRC4
c7200-ipbase-mz.122-33.SRC4.bin
128
64
12.2(33)SRC3
c7200-ipbase-mz.122-33.SRC3.bin
128
64
12.2(33)SRC2
c7200-ipbase-mz.122-33.SRC2.bin
128
64
12.2(33)SRC1
c7200-ipbase-mz.122-33.SRC1.bin
128
64
12.2(33)SRC
c7200-ipbase-mz.122-33.SRC.bin
128
64
Regards
Chetan Kumar

Similar Messages

  • Allow some show commands in AAA Authorization Set

    I'm working on creating AAA authorization sets for our environment and ran into a question!
    I'd like to be able to enable ALL show commands except 'show run'.  I would also like to enable 'show run interface'.  I've figured out how to enable all show commands and disable show run.  The problem I'm finding is that since 'show run interface' is a subset of 'show run' it seems to disable.  Even if I try to explicitly enable it.
    Is there a way to disable 'show run' but enable all other show commands and 'show run interface' with a AAA authorization set?
    ACS Version 4.1.
    Command set is configured:

    Changing it to 'deny running-config' does the exact same thing.  It looks like it's seeing the 'show running-config' then stoping on that before anything else.  I've tried adding 'permit run interface' in ACS and same thing.  Other AAA Authorization set commands work just fine.
    On the switch (its a 2960G-8TC-K) running 12.2(58)SE2.
    aaa group server tacacs+ SHS
    server 10.10.11.200
    aaa authentication login verifyme group TACACS+ local
    aaa authorization config-commands
    aaa authorization exec verifyme group TACACS+ local
    aaa authorization commands 0 default group TACACS+
    aaa authorization commands 1 default group TACACS+
    aaa authorization commands 15 default group TACACS+
    aaa accounting send stop-record authentication failure
    aaa accounting exec verifyme start-stop group TACACS+
    aaa accounting commands 15 default start-stop group TACACS+
    aaa accounting network verifyme start-stop group TACACS+
    aaa accounting system default start-stop group TACACS+
    aaa session-id common
    Debugs!
    Jun 21 11:07:39: AAA: parse name=tty0 idb type=-1 tty=-1
    Jun 21 11:07:39: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    Jun 21 11:07:39: AAA/MEMORY: create_user (0x3A790DC) user='test' ruser='SGAVEJ01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Port='tty0' list='' service=CMD
    Jun 21 11:07:39: AAA/AUTHOR/CMD: tty0 (4105592267) user='test'
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV service=shell
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd=show
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=running-config
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=interface
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=GigabitEthernet
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=0/1
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): send AV cmd-arg=
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD(4105592267): found list "default"
    Jun 21 11:07:39: tty0 AAA/AUTHOR/CMD (4105592267): Method=TACACS+ (tacacs+)
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): user=test
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV service=shell
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd=show
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=running-config
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=interface
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=GigabitEthernet
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=0/1
    Jun 21 11:07:39: AAA/AUTHOR/TAC+: (4105592267): send AV cmd-arg=
    Jun 21 11:07:39: TAC+: Using default tacacs server-group "TACACS+" list.
    Jun 21 11:07:39: TAC+: Opening TCP/IP to 10.10.11.200/49 timeout=5
    Jun 21 11:07:39: TAC+: Opened TCP/IP handle 0x3A41210 to 10.10.11.200/49 using source 10.40.0.14
    Jun 21 11:07:39: TAC+: 10.10.11.200 (4105592267) AUTHOR/START queued
    Jun 21 11:07:39: TAC+: (4105592267) AUTHOR/START processed
    Jun 21 11:07:39: TAC+: (-189375029): received author response status = FAIL
    Jun 21 11:07:39: TAC+: Closing TCP/IP 0x3A41210 connection to 10.10.11.200/49
    Jun 21 11:07:39: AAA/AUTHOR (4105592267): Post authorization status = FAIL
    Jun 21 11:07:39: AAA/MEMORY: free_user (0x3A790DC) user='test' ruser='SGAVEJ01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 vrf= (id=0)

  • AAA authorization not working

    Hi,
    Configured the switch for the AAA authentication it's getting authenticated but it's failing for authentication.
    When connected to console it worked-  Authenticated and then supplied the enable password.
    When telneted : it says "access approved" and  "authorization failed"
    Relevant switch configuration is as follows  and also debug of aaa authorization.
    +++++++++++++++++++++++++++++
    no service single-slot-reload-enable
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    hostname Switch
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication enable default enable
    aaa authorization config-commands
    aaa authorization exec default group radius if-authenticated local
    aaa authorization commands 15 default group radius if-authenticated local
    enable secret 5 $lkl34579231$uK8U$B4sL3AiXAEUzZ8o.Dv34Y/
    username cisco privilege 15 password 7 05080F1C224233 
    vlan 10
    vlan 120
    ip subnet-zero
    vtp mode transparent
    spanning-tree extend system-id
    interface FastEthernet0/1
      switchport access vlan 10
      switchport mode access
      no ip address
      spanning-tree portfast
    interface GigabitEthernet0/1
      no ip address
    interface GigabitEthernet0/2
      no ip address
    interface Vlan1
      no ip address
      shutdown
    interface Vlan120
      ip address 10.12.8.70 255.255.255.240
    ip default-gateway 10.12.8.65
    ip classless
    ip http server
    radius-server host 192.168.38.169 auth-port 1812 acct-port 1813
    radius-server host 10.12.1.142 auth-port 1812 acct-port 1813
    radius-server retransmit 3
    radius-server key cisco
    line con 0
    line vty 0 4
      password 7 grrfcb7swe
      transport input telnet
    line vty 5 15
    end
    Debug output :
    Switch#
    21:45:02: AAA/AUTHEN/CONT (2947331915): continue_login (user='(undef)')
    21:45:02: AAA/AUTHEN (2947331915): status = GETUSER
    21:45:02: AAA/AUTHEN (2947331915): Method=radius (radius)
    21:45:02: AAA/AUTHEN (2947331915): status = GETPASS
    21:45:06: AAA/AUTHEN/CONT (2947331915): continue_login (user='wrrt\trial1')
    21:45:06: AAA/AUTHEN (2947331915): status = GETPASS
    21:45:06: AAA/AUTHEN (2947331915): Method=radius (radius)
    21:45:07: AAA/AUTHEN (2947331915): status = PASS
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Port='tty1' list='' service=EXEC
    21:45:07: AAA/AUTHOR/EXEC: tty1 (284909353) user='wrrt\trial1 '
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV service=shell
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): send AV cmd*
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): found list "default"
    21:45:07: tty1 AAA/AUTHOR/EXEC (284909353): Method=radius (radius)
    21:45:07: AAA/AUTHOR (284909353): Post authorization status = FAIL -------------------------#  authorization failed #
    21:45:07: AAA/AUTHOR/EXEC: Authorization FAILED
    21:45:09: AAA/MEMORY: free_user (0xDF12AC) user='wrrt\trial1' ruser='' port='tty1' rem_addr='10.12.7.71' authen_type=ASCII service=LOGIN priv=1
    Switch#
    Switch#
    Do we need to change anything on Radius server or can we change the authorization preference to local and then to radius.
    Please share the experience.
    Thanks in advance,
    Subodh

    Hi Subodh,
    I understand that you are trying to use command authorization using RADIUS.
    aaa authorization commands 15 default group radius if-authenticated local
    Command authorization is not supported in RADIUS. RADIUS does not allow users to control which commands can be executed       on a router and which cannot.
    Please refer the following link:
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
    You need to use TACACS+ for configuring command authorization for IOS and PIX/ASA.
    Regards,
    Karthik Chandran
    *kindly rate helpful post*

  • AAA Authorization with ACS Shell-Sets

    Hi all,
    I am using a cisco 871 router running Version 12.4(11)T advanced IP Services.
    I am having trouble getting AAA Authorization to work correctly with ACS.
    I am able to set the users up on ACS fine and assign them shell and priv level 7.
    I then setup a Shell Auth Set, and enter in the commands show and configure.
    When I log in as a user, I get an exec with a priv level of 7 no problems, but I never seem to be able
    to access global config mode by typing in conf (or configure) terminal or t.
    If I type con? the only command there is connect, configure is never an option...
    The only way I can get this to work is by entering the command:
    privilege exec level 7 configure terminal
    I thought the whole purpose of the ACS Shell Set was to provide this information to the Router?
    This is most frustrating
    The ACS Server is set up with a Shell Command Authorization Set named Level_7
    It is assigned to the relevant groups and I even have the "Unmatched Commands" option selected to "Permit"
    The "Permit Unmatched Args" is also selected.
    See an excerpt of my IOS config below:
    aaa new-model
    aaa group server tacacs+ ACS
    server 10.90.0.11
    aaa authentication login default group ACS local
    aaa authorization exec default group ACS
    aaa authorization commands 7 default group ACS local
    tacacs-server host 10.90.0.11 key cisco
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 show running-config
    privilege exec level 7 show
    Hope you can help me with this one..
    P.s I have tried it with the privilege commands on the router and removed from the router and just keep getting the same results!?

    Hi,
    So here it is,
    You are actually using two different options and trying to couple then together. What I would suggest you is either use Shell command authorization set feature or play with privilege level. Not both mixed together.
    Above scenario might work, if you move commands to privilege level 6 and give user privilege level 7. It might not sure. Give it a try and share the result.
    This is what I suggest the commands back to normal level.
    Below provided are steps to configure shell command authorization:
    Follow the following steps over the router:
    !--- is the desired username
    !--- is the desired password
    !--- we create a local username and password
    !--- in case we are not able to get authenticated via
    !--- our tacacs+ server. To provide a back door.
    username password privilege 15
    !--- To apply aaa model over the router
    aaa new-model
    !--- Following command is to specify our ACS
    !--- server location, where is the
    !--- ip-address of the ACS server. And
    !--- is the key that should be same over the ACS and the router.
    tacacs-server host key
    !--- To get users authentication via ACS, when they try to log-in
    !--- If our router is unable to contact to ACS, then we will use
    !--- our local username & password that we created above. This
    !--- prevents us from locking out.
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization config-commands
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    !--- Following commands are for accounting the user's activity,
    !--- when user is logged into the device.
    aaa accounting exec default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    Configuration on ACS
    [1] Goto 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'
    Provide any name to the set.
    provide the sufficent description (if required)
    (a) For Full Access administrative set.
    In Unmatched Commands, select 'Permit'
    (b) For Limited Access set.
    In Unmatched commands, select 'Deny'.
    And in the box above 'Add Command' box type in the main command, and in box below 'Permit unmatched Args'. Provide with the sub command allow.
    For example: If we want user to be only able to access the following commads:
    login
    logout
    exit
    enable
    disable
    show
    Then the configuration should be:
    ------------------------Permit unmatched Args--
    login permit
    logout permit
    exit permit
    enable permit
    disable permit
    configure permit terminal
    interface permit ethernet
    permit 0
    show permit running-config
    in above example, user will be allowed to run only above commands. If user tries to execute 'interface ethernet 1', user will get 'Command authorization failed'.
    [2] Press 'Submit'.
    [3] Goto the group on which we want to apply these command authorization set. Select 'Edit Settings'.
    (cont...)

  • Command execution get very slow when AAA Authorization enable on ASR 1006

    Without Authorization , I am able work smoothly with just click on ASR ...., But Once I enable Authorization it takes many secs to move to other command exampe ( If i hit config t or int gi1/0/1 , it   take time to move to next command level) ...
    These Authorization issue I am facing only on ASR and for Other Cisco Switches and Router its working fine wiith just a click.
    Did any one face such issue , and how it is fix ...
    See the Show version for ASR
    Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.1(2)S, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Thu 24-Mar-11 23:32 by mcpre
    Cisco IOS-XE software, Copyright (c) 2005-2011 by cisco Systems, Inc.
    All rights reserved.  Certain components of Cisco IOS-XE software are
    licensed under the GNU General Public License ("GPL") Version 2.0.  The
    software code licensed under GPL Version 2.0 is free software that comes
    with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
    GPL code under the terms of GPL Version 2.0.  For more details, see the
    documentation or "License Notice" file accompanying the IOS-XE software,
    or the applicable URL provided on the flyer accompanying the IOS-XE
    software.
    ROM: IOS-XE ROMMON
    NOITDCRTRCORP01 uptime is 10 weeks, 6 days, 1 hour, 16 minutes
    Uptime for this control processor is 10 weeks, 6 days, 1 hour, 19 minutes
    System returned to ROM by reload
    System restarted at 17:47:32 IST Thu Oct 4 2012
    System image file is "bootflash:/asr1000rp1-advipservicesk9.03.03.00.S.151-2.S.bin"
    Last reload reason: EHSA standby down
    AAA Commands on ASR 1006
    aaa new-model
    aaa group server tacacs+ tacgroup
    server 10.48.128.10
    server 10.72.160.10
    ip vrf forwarding Mgmt-intf
    ip tacacs source-interface GigabitEthernet0
    aaa authentication login default group tacgroup local
    aaa authentication enable default group tacgroup enable
    aaa accounting exec default start-stop group tacgroup
    aaa accounting commands 1 default start-stop group tacgroup
    aaa accounting commands 15 default start-stop group tacgroup
    aaa accounting connection default start-stop group tacgroup
    aaa accounting system default start-stop group tacgroup
    aaa authorization commands 0 default group tacgroup none
    aaa authorization commands 1 default group tacgroup none
    aaa authorization commands 15 default group tacgroup none
    aaa session-id common
    tacacs-server host 10.48.128.10 key 7 13351601181B0B382F04796166
    tacacs-server key 7 053B071C325B411B1D25464058

    I think your issue maybe related to your tacacs server. If you  re-order the two servers (typically a 5 second timer before failover  occurs) and see if that improves your performance:
    You  can try to debug the issue by referring to the command reference  guide....i.e. debug tacacs...you can also try to telnet to both ip  address to port 49 to see if the connection opens, in order to rule out  issues where a firewall or routing to one of the tacacs servers is  failing. I also noticed you have the shared secret and tacacs server  defined for one of the servers, is the sam present for the other server  that is in the server group?
    server 10.48.128.10
    server 10.72.160.10
    to
    server 10.72.160.10
    server 10.48.128.10
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Slow response on AAA Authorization

    Hi,
    We were configuring the AAA to use one of the TACACS server for authentication,authorization and accounting purpose. When we did the same, the command executed response become slow and even some times gives a message authorization failed. We thought, there should be useful information on the TACACS server to debug the same, but we were not able to find any message like that. The below is the config added and when we remove the configuration of AAA the login response and the command execution are good. We checked the path to reach from this router to TACACS server and seems good with no packet loss. Your asssistance would be really appreciated.
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common
    tacacs-server host <ip address> timeout 5
    tacacs-server directed-request
    tacacs-server key <key>
    Regards
    Anantha Subramanian Natarajan

    Hi JG,
    Thanks for the reply.
    Actually, I am not sure whether on our TACACS server,the single connect TACACS+ is enabled or not but I am just curious as the other router having same platform with same configuration details connecting to the same TACACS server is working fine.
    The error message appears frequently and atleast not specific to some command. Infact every other time, it gives the error.
    Our TACACS and SNMP engineer is suggesting to chenage the IOS as it seems have some identified bug related to the SNMP and hopefully we are planning to do the same.
    Meantime , if you can know something more precise or any suggestions would be hugely appreciated.
    Thanks
    Regards
    Anantha Subramanian Natarajan

  • Acs4.1 & aaa authorization & permit show

    Selam,
    I want to deny all commands except "show run" for a group and for all network devices.
    So I created a group on acs4.1 and attached with a "Shell Command Authorization Set" ("permit show runnig-config" - "deny unmatched commands")
    than I used commands which you can see below:
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    NOW: rules are runnig for my new group but other groups which have full access for all devices are failing (% Authorization failed)
    what can be the problem?
    Thanks
    Ozlem

    create another shell command authorization set for full access group and configure it for "unmatched commands - permit"
    and do not enter any command for it.
    That will work for you.
    ~Rohit

  • Command confusion - aaa authorization config-commands

    I created a new Shell Command Authorization Set within ACS to only allow a port to be configured for a voice VLAN.
      >> Shell Command Authorization Sets
          Name: Restricted_Voice
          Description: Configure port voice vlan only.
          Unmatched Commands: Deny
          Add: enable
          Add: configure / permit terminal <cr>
          Add: interface / permit Gi*
          Add: interface / permit Fa*
          Add: switchport / permit voice vlan *
    My switch configuration has the following aaa authorization related lines:
         aaa authorization commands 1 default group tacacs+ if-authenticated
         aaa authorization commands 15 default group tacacs+ if-authenticated
    When I tested the Shell Set, I noticed that all (config) mode commands were allowed (ie description, hostname). It was only after I added "aaa authorization config-commands" to the switch configuration did my Shell Set began working as I expected it to be.
    I went and read up the command reference for "aaa authorization config-commands" in
    http://www.cisco.com/en/US/docs/ios/11_3/security/command/reference/sr_auth.html#wp3587.
    My comprehension of the command is that by just issuing ' aaa authorization commands 15 ....' this command encompasses the checking of config mode commands and that I did not need to add the stand-alone "aaa authorization config-commands" statement. But clearly, from my testing, I needed the extra statement.
    It looks like I resolved my issue and need to add the new statement to all my switches, I'm wondering if someone can help clarify the usage guidelines for me.  I'm I one of the few or only one that misinterpreted these "aaa authorization" commands?

    Hi Axa,
    I have a similar setup and have full Exec Level permissions using only aaa authorization commands level method
    The below is taken from cisco.com and explains that you should not require the
    aaa authorization config-commands unless you have at some point used the no aaa authorization config-commands command to prevent configuration commands from the Exec User
    This in essense is a hidden configured default i.e.you switch on auth for config-commands automatically when you use the aaa authorization commands level method command!
    From Cisco.com (I have underlined the key points)
    aaa authorization config-commands
    To disable AAA configuration command authorization in the EXEC mode, use the no form of the aaa authorization config-commands global configuration command. Use the standard form of this command to reestablish the default created when the aaa authorization commands level method1 command was issued.
    aaa authorization config-commands
    no aaa authorization config-commands
    Syntax Description
    This command has no arguments or keywords.
    Defaults
    After the aaa authorization commands level method has been issued, this command is enabled by default—meaning that all configuration commands in the EXEC mode will be authorized.
    Usage Guidelines
    If aaa authorization commands level method is enabled, all commands, including configuration commands, are authorized by AAA using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using no aaa authorization config-commands stops the network access server from attempting configuration command authorization.
    After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.
    Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.
    Examples
    The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:
    aaa new-model
    aaa authorization command 15 tacacs+ none
    no aaa authorization config-commands

  • AAA Authorization design

    I'm configuring several switches and routers for TACACS with ACS SE. I have a need to do three levels of access, the groups are as follows:
    1. Normal read-only access.
    2. Full access with the exception of config t.
    3. Full access.
    What would be the best way to achieve this goal, I can see that if I create Shell Command Authorization sets on the ACS, I can configure one for group 1 and one for group 3. But will I be able to for Group 2? Is there a way to allow all, but explicitly block one command? Following this page: http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml leads me to believe that the capability may exist, but I have no way to confirm at the moment.

    Here are the config required for setting up aaa authentication and authorization.
    Router(config)# username [username] password [password]
    tacacs-server host [ip]
    tacacs-server key [key]
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization config-commands
    All the best !
    Regards,
    ~JG

  • AAA Authorization issue

    Hi All,
    I've got an issue when adding a device to ACS.When I try to login to the device after adding it to the ACS, it does'nt prompt me to enter my tacacs username and password, instead it prompts me to enter the tacacs username/password details when I try to get into the enable mode. Also, once I am in the enable mode, I cant execute any commands as shown below:
    Router01#debug aaa authentication
    Command authorization failed.
    ^
    % Invalid input detected at '^' marker.
    Router01#sh run
    Command authorization failed.
    % Incomplete command.
    The aaa config is as listed below:
    aaa authentication login default group TACACS-GROUP enable
    aaa authentication enable default group TACACS-GROUP enable
    aaa authentication ppp default local
    aaa authorization commands 1 default group TACACS-GROUP if-authenticated
    aaa authorization commands 15 default group TACACS-GROUP if-authenticated
    aaa accounting commands 1 default start-stop group TACACS-GROUP
    aaa accounting commands 15 default start-stop group TACACS-GROUP
    Everything works fine once I remove the device from ACS. How do I get over this issue? Any advice would be much appreciated.
    Regards,
    PV

    PV,
    The reason you are not able to issue any command is because, you have command authorization enabled on Router.
    It seems that you don't want that. You need to remove these commands,
    no aaa authorization commands 1 default group TACACS-GROUP if-authenticated
    no aaa authorization commands 15 default group TACACS-GROUP if-authenticated
    These commands are used to authorize what all command user can issue.
    Please see this link, it explain about setting up command authorization using acs,
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards,
    ~JG
    Do rate helpful posts

  • Exclude specific user from aaa authorization commands

    Hi there,
    I am trying to find a solution to exclude specific users from being authorized (AAA command authorization) when entering commands on the switch/router.
    We use an AAA setup with Cisco ACS. On the devices we use:
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 5 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    is it possible, to exclude an  user, say User1, from being command authorized?
    In other words, when User1 logs on the switch/router, the switch/router shouldn't check the ACS if User1 is authorized to use this command.
    We tried this with method lists in combination with ACL's on the VTY's:
    line VTY 0
    access-class 1 in
    line VTY 1
    access-class 2 in
    Let's say, User1 always logs in from a specific IP, which is mentioned in access-list 2, the switch would use the method mentioned within the line vty 1.
    But apparently, when a remote connection is being established, the switch/router uses the first VTY which is available, instead of watching which ACL can be matched to the source IP from the User.
    Does anyone have some tips/tricks how to handle this?
    Maybe a custom attribute from the ACS?
    Kind Regards

    If that user belongs to a unique group then you can write a policy where "if the user is in group x then return "access_reject" Or return "access_accept" but set the privilege level to "1" and block all commands. 
    Thank you for rating helpful posts!

  • Aaa authorization console command

    Hi,
    I don't really understand the need of the command "aaa authorization console".
    We indeed often configure these lines, which according to me already ar eapplied by default to VTY, Console, etc ...:
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    Am I wrong? Or do these lines apply only to the VTY linse?
    Thanks by advance

    I learned this locking out form console today in the hard-way
    we use as standard
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default local group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    and I missed the trailing "if-authenticated" in line "aaa authorization exec default local group tacacs+ if-authenticated", unfortuanatly also the tacacs serves wasn't reachable.
    So no way to log in without the hard way rebooting and reconfiguring again

  • AAA Authorization named authorization list

    Ladies and Gents,
    Your help will be greatly appreciated – I am currently studying CCNP Switch AAA configuration and I work with a tacacs+ server at work butI having difficulty getting my head around the below
    Cisco.com extract below
    When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
    Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.
    My question is how do you define the Named Method List i.e. the none-default method list?
    I don't mean the cisco switch config but how the list is created, is this on the tacacs+ server and the referred to in the CLI?
    Any help would be much appreciated as I have read over tons of documents and I can’t see how this is created
    Thanks in advance
    David

    Hi David,
    An example of a named AAA list might look something like this:
    aaa authorization exec TacExec group AAASrv local
    In the example above, I've created a AAA authorization list for controlling shell exec sessions called "TacExec", which will check the remote AAA servers in the group "AAASrv" first; if the device receives no response from the remote servers, it will then atempt to validate the credentials via the local user database. Please remember that a deny response from the AAA server is not the same as no reposonse, the device will only check the local user database if an only if it recieves nothing back from the TACACS query.
    Of course, before you create this method list, you need to define the TACACS servers via the "tacacs-server" command, and then add those servers to the group via the "aaa group server" command.
    Below is a cut and paste from the AAA section on one of my devices:
    aaa new-model
    ip tacacs source-interface
    tacacs-server host 10.x.x.x key 7
    tacacs-server host 10.x.x.y key 7
    aaa group server tacacs+ TacSrvGrp
    server 10.x.x.x
    server 10.x.x.y
    aaa authentication login default local
    aaa authentication login TacLogin group TacSrvGrp local
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default local
    aaa authorization exec TacAuth group TacSrvGrp local
    aaa authorization commands 0 default local
    aaa authorization commands 0 TacCommands0 group TacSrvGrp local
    aaa authorization commands 1 default local
    aaa authorization commands 1 TacCommands1 group TacSrvGrp local
    aaa authorization commands 15 default local
    aaa authorization commands 15 TacCommands15 group TacSrvGrp local
    aaa accounting exec default start-stop group TacSrvGrp
    aaa accounting commands 15 default start-stop group TacSrvGrp
    aaa session-id common
    Notice that for the various authentication and authorization parameters, there is a named method list as well as a default method list. As per Cisco's documentation, a aaa method list called default (that you explicitly define) will apply to all input methods (con, aux, vty, etc) unless you set a named method list on the particular input line (see below):
    line con 0
    exec-timeout 5 0
    line aux 0
    exec-timeout 5 0
    line vty 0 4
    exec-timeout 15 0
    authorization commands 0 TacCommands0
    authorization commands 1 TacCommands1
    authorization commands 15 TacCommands15
    authorization exec TacAuth
    login authentication TacLogin
    transport input ssh
    For the console and aux inputs, I only ever want to use local credentials for AAA purposes (ie: If I have to connect on an out-of-band interface, something is potentially wrong with the network connectivity), however for the VTY lines (SSH sessions in this instance), I always want to use the TACACS servers first, with local user credentials as a fallback mechanism.
    One thing you need to be VERY mindful of when configuring your devices for AAA is the order of the commands that are entered. It is a relatively simple matter to lock yourself out from the device management if you don't pay close attention to the specific order that the commands are entered. Typically, I will first do a "show user" just to find out which VTY line that I'm connected on, and when I assign the named AAA method lists to the VTY lines, I normally leave the line that I'm on at the default (local), then I open a second session to the device, authenticate using my TACACS credentials, and complete the config on the remaining VTY line.
    Keep in mind that there are some other parameters that you can define at the tacacs-server level (timeout value is a good one to look at) which you can use to enhance the AAA performance somewhat.
    Hope this helps!

  • AAA authorization fails, but still command is executed...

    Hi everyone,
    i've implemented authorization and it basically works. The user can only use a limited set of commands (show int status, conf t, interface ethernet, interface gigabitethernet, interface fastethernet, shut, no shut).
    Now I try to configure a loopback or Vlan interface, which should not be allowed.
    COMMANDS IMPLEMENTED:
    aaa authorization config-commands
    aaa authorization commands 0 vty group tacacs+ none
    aaa authorization commands 1 vty group tacacs+ none
    aaa authorization commands 15 vty group tacacs+ none
    line vty 0 15
    authorization commands 0 vty
    authorization commands 1 vty
    authorization commands 15 vty
    COMMAND AND OUTPUT FROM TESTING:
    SWITCH(config)#int vlan 2
    Command authorization failed.
    DEBUG AAA AUTHORIZATION:
    SWITCH#
    Dec  7 14:31:50: AAA: parse name=tty1 idb type=-1 tty=-1
    Dec  7 14:31:50: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
    Dec  7 14:31:50: AAA/MEMORY: create_user (0x46603F4) user='USER1' ruser='SWITCH' ds0=0 port=
    'tty1' rem_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Port='tty1' list='SCAS' service=CMD
    Dec  7 14:31:50: AAA/AUTHOR/CMD: tty1 (60725991) user='USER1'
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV service=shell
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd=interface
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=Vlan
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=2
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): send AV cmd-arg=<cr>
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): found list "SCAS"
    Dec  7 14:31:50: tty1 AAA/AUTHOR/CMD (60725991): Method=tacacs+ (tacacs+)
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): user=USER1
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV service=shell
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd=interface
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=Vlan
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=2
    Dec  7 14:31:50: AAA/AUTHOR/TAC+: (60725991): send AV cmd-arg=<cr>
    Dec  7 14:31:50: AAA/AUTHOR (60725991): Post authorization status = FAIL
    Dec  7 14:31:50: AAA/MEMORY: free_user (0x46603F4) user='USER1' ruser='SWITCH' port='tty1' r
    em_addr='10.10.255.249' authen_type=ASCII service=NONE priv=15
    As you can see the reply from the Tacacs is a "FAIL", but still the command is executed.
    RESULT:
    SWITCH#sh run int vlan 2
    Building configuration...
    Current configuration : 38 bytes
    interface Vlan2
    no ip address
    end
    QUESTION:
    I don't understand what the problem is...Since I get a FAIL from the Tacacs Server I assume that the configuration on that side is fine.
    But why would the switch ignore a FAIL and still execute the command? Same problem exists with the Loopback-Interface.
    Is this me not understandig the basic concept of AAA or is this some other problem?
    The Switch is a Cisco WS-C3750-24TS (running c3750-ipbasek9-mz.122-50.SE2.bin).
    The Tacacs runs Cisco Secure ACS4.2.0.124
    Thanks,
    Tom

    Hi Tom,
    this is CSCtd49491 : TACACS+ command authorization for interface configuration fails .
    The bug is currently in a Closed state, meaning that the "Bug report is valid, but a conscious decision has been made not to fix it at all or in all releases."
    As far as I can tell, the impact is rather limited since the interface that gets created will have no effect unless the vlan exists, and even then the effect is minimal since it cannot be configured.
    You may want to open a TAC case or work with your account team to get the bug re-opened if this is still a concern though.
    hth
    Herbert

  • No "list-name" option availbale for aaa authorization command.

    I have a 1721 router running 122-15.T14 and want to implement authorization but the router does not provide command option for list name.
    I want to implement the following command:
    "aaa authorization network groupauthor group radius"
    but the only option is default after "network".
    Router#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C1700 Software (C1700-K9SY7-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2004 by cisco Systems, Inc.
    Compiled Fri 27-Aug-04 23:26 by cmong
    Image text-base: 0x80008120, data-base: 0x80F731A0
    ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
    ROM: C1700 Software (C1700-K9SY7-M), Version 12.2(15)T14, RELEASE SOFTWARE (fc4)
    Router uptime is 5 minutes
    System returned to ROM by reload
    System image file is "flash:c1700-k9sy7-mz.122-15.T14.bin"
    cisco 1721 (MPC860P) processor (revision 0x400) with 56844K/8692K bytes of memory.
    Processor board ID FOC08302CF6 (610086355), with hardware revision 0000
    MPC860P processor: part number 5, mask 2
    Bridging software.
    X.25 software, Version 3.0.0.
    1 FastEthernet/IEEE 802.3 interface(s)
    2 Serial(sync/async) network interface(s)
    32K bytes of non-volatile configuration memory.
    32768K bytes of processor board System flash (Read/Write)
    Configuration register is 0x2102
    Router(config)#aaa authorization network ?
    default The default authorization list.
    Router(config)#aaa authorization network

    I think that your issue is version related. I have a customer who is running a bunch of 1721 routers and when I do aaa authorization network ?
    I get both default and the option to name a list.
    I checked with the Software Advisor on CCO and it looks to me like the named-list feature was added in 12.3. As long as you are running 12.2 I do not think you will have the option for a named-list for network authorization.
    HTH
    Rick

Maybe you are looking for

  • Script won't run in firefox but does in IE, chrome and safari

    i have a landing page with a web form script, www.wholewoman.com/newpages/landing/helpforcystocele.html. the script does not show up in firefox. further, none of our videos (served from kaltura (CDN) show up in firefox. nor does the registration scri

  • Provide self-service user with information about his/her VM? IP address at a minimum?

    Just setup a private cloud using VMM 2012 Sp1 as well as app controller 2012 SP1 fresh installs on Server 2012.  Since it's a lab, app con is installed on VMM server. I have the cloud and templates and service templates and self service working as we

  • MacBook Air stuck on start-up screen - cannot login

    Macbook Air - 3 months old. It was shut down ok but now when trying to login the username and password fields remain blank when typing in. After hitting a few keys it acts like one key is stuck (it isn't) and random characters get input into the fiel

  • Rate Contract Purchase Order ! Urgent

    Rate contract purchase order – My Client Don’t wants to enter quantity in the Purchase Order – The purchase order is called as Rate contract purchase order (Contract for Per Unit rate of material only). Purchase order is created without entering the

  • Error in displaying TripForm

    Hi, Using SAP standard ESS / Travel Management we want to display the trip form from the service My Trips and Expenses > tab All My Trips. When selecting Display/Print button the error message is appearing: "An error occured while starting the iView.